INTRODUCTION


Terrorism,  including  cyber  attacks,  is  foremost  in  military  minds  as  the  year  2002 
unfolds.  While  enemy  cyber  attacks  on  networks  are  a  legitimate  concern,  this  author’s  thesis 
is  internal  (non-enemy)  issues  are  the  most  likely  nemesis  to  timely,  accurate  electronic 
information  gathering  and  management  for  the  Commanders-in-Chief  (CINCs). 

The  CINCs’  vulnerability  to  receiving  untimely  or  inaccurate  information  is  high 
because  of  actions  by  their  own  users  and  systems  administrators  along  with  decisions  made 
at  Service  and  DOD  levels.  By  concentrating  their  efforts  on  issues  within  their  immediate 
control,  CINCs  can  eliminate  some  actions  which  delay  or  corrupt  information  and 
significantly improve their odds of having timely, accurate information. Discussion of
intelligence systems is beyond the scope of this paper; however, they have problems
comparable to some covered here and should undergo similar analysis.

This  paper  focuses  on  three  internal  areas:  problems  caused  by  deliberate  personnel 
actions/decisions,  inadequate  security,  and  lack  of  interoperability.  These  areas,  not  all 
inclusive,  illustrate  the  magnitude  of  internal  issues  facing  CINCs,  even  though  the  external 
issues  seem  to  generate  the  more  sensational  commentary  and  subsequent  concern.  Coming 
to  grips  with  the  internal  issues  and  implementing  solutions  is  not  necessarily  extremely 
technical  or  highly  expensive.  It  will,  however,  require  strong  advocacy  from  the  CINCs. 

Examples are used to illustrate current internal concerns, followed by a counter-argument
from an opponent’s point of view that external (enemy) attacks are the most likely
threat  to  CINCs’  information.  Next,  conclusions  drawn  from  the  internal  and  external 
problems  are  presented.  Lastly,  recommended  actions  for  CINCs  concerning  items  within 
their sphere of control or influence are provided.

DELIBERATE PERSONNEL ACTIONS/DECISIONS


First,  let’s  look  at  problems  caused  by  personnel  actions,  both  non-malicious  and 
malicious.  While  DOD  ensures  background  checks  are  done  before  someone  receives  a 
security  clearance  for  access  to  classified  information,  little  training  is  currently  required 
before  that  same  person  is  allowed  to  have  an  account  on  a  network.  Training  and  guidance 
have  not  kept  pace  with  the  rapid  proliferation  of  networks;  therefore,  people  are  doing  things 
that  significantly  affect  network  integrity  and  the  information  accessible  through  that  network. 
Also,  existing  guidance  does  not  always  get  widely  disseminated  and/or  people  are  not 
following  it.  Enforcement  of  accountability  for  actions  is  non-existent  or  inconsistent. 

For example, both training and guidance are critical in password selection—a key prerequisite
to network usage. Despite DOD policy dictating minimum standards for passwords,
some systems do not require specific criteria; therefore, users often select easy to crack
passwords. According to Major General Dave Bryan, USA, Commander of Joint Task Force-Computer
Network Operations (JTF-CNO), the most common password at DOD is
“password.”

Additionally,  some  users  have  the  same  password  on  multiple  systems,  share 
passwords  with  co-workers,  do  not  use  password-protected  screen  savers,  or  record  passwords 
either on paper in an easily accessible location or in a file on the network. Users want
passwords that are easy to remember, the ability to utilize the same password for access to
more than one system, and to aid co-workers during absences; however, these sloppy practices
play right into the hand of a malicious insider. While desiring to trust fellow workers,
everyone must “address the sobering fact that a majority of threats to proprietary information
today originate within the pool of authorized users.”

Other user-controllable items affecting information integrity are installing software or
hardware without proper consent, introducing disks or files to the system from outside sources
without running a virus scanner, and using non-tested applications. Also, users sometimes
contribute to the magnitude of a computer problem by not having a backup of their files.
Users and system administrators need to work together to determine who does the backups,
when they are done, and where they are stored. Then, if there is a loss of information, the
restoral time and re-creation time are minimized.

System administrators also take actions to make their job easier, but at the expense of
security. As the General Accounting Office’s (GAO) chief technologist, Keith Rhodes, said,
“workers, disgruntled or not, leave open back doors and work around security measures for
convenience.” Also, creating and managing access policies and keeping user access
information current are labor-intensive, leaving network access prone to being too permissive
or out-of-date. Additionally, changes to the user’s capabilities can be cumbersome,
especially during a rapid deployment for a contingency.

Service  and  DOD  level  decision  makers  are  charging  full  speed  ahead  directing 
implementation  of  network  and  web-based  technology;  however,  the  ripple  effect  of  their 
actions  is  taxing  both  users  and  system  administrators.  Network  operations  are  complex,  but 
the  biggest  hurdles  are  not  technical.  As  illustrated  in  the  recent  installation  of  a  new  Navy 
network  on  the  USS  NIMITZ  (CVN-68),  the  insufficient  support  tail  of  training, 
documentation, and repair parts were key contributors to the determination the network “fails
to adequately support mission requirements.”

Another  example  concerns  the  Theater  Battle  Management  Core  System  (TBMCS). 
The  combining  of  three  older  programs  into  this  one  system  for  air  battle  management, 
including  producing  the  air  tasking  order,  has  advantages;  however,  as  the  program  managers 
acknowledge, it is a complex system that can overwhelm untrained people. The Marines,
expressing concerns about training, initially declined to vote for TBMCS.

The two examples above point out that leaders and program managers, while anxious
to get new capabilities to the user, must consider the complete picture before installing
systems.  If  people  are  not  properly  trained,  it  is  almost  inevitable  they  will  input  information 
incorrectly,  be  less  efficient,  or  in  some  other  way  affect  the  timely  transmission  of 
information. Additionally, a distinct line between theater-level systems and other systems
does not exist—the systems are sharing the same networks—so even non-theater systems
processing  finance  or  personnel  data  could  negatively  affect  the  CINCs’  ability  to  get  timely, 
accurate  information. 

If the user of that finance or personnel system generates a problem or a system outage
occurs in one portion of the network, it can impact CINCs’ users in another part of the
network.  Some  networks  have  tools  to  detect  problems  and  automatically  take  action  to 
correct  the  situation.  This  is  normally  an  efficient  method;  however,  it  is  based  on  priorities 
for  the  whole  network  and  can  trigger  a  cascading  effect  as  lower  priority  users  are 
disconnected  in  order  to  reconnect  higher  priority  users.  Not  every  user  is  a  “high  priority” 
user;  therefore,  some  are  going  to  be  disconnected  for  an  undetermined  (based  on  the  severity 
of  the  situation)  time  frame. 

Disruptions  in  service  highlight  the  need  for  a  feasible,  practiced  Continuity  of 
Operations  Plan  (COOP)  for  communications  systems  and  facilities.  Based  on  an  analysis  of 
systems  and  functions,  a  COOP  establishes  priorities  and  actions  required  when  major 
emergencies  occur.  Having  one  and  practicing  it  are  critical  to  minimizing  downtime, 
reducing  confusion,  and  clarifying  expectations.  The  attacks  on  the  Pentagon  pointed  out 
some deficiencies within DOD and other government offices, including an ill-equipped
secondary facility and difficulty in accounting for personnel.

All the Services are increasing user access to networks—which is not necessarily all
good news for the CINCs. The impact of the Services’ quest for easy connectivity for their
people via Army Knowledge Online (AKO), One Air Force ... One Network, and Navy
Marine Corps Internet (NMCI) is hard to gauge. AKO alone expects 1.2 million users. This
includes active-duty military, Army Reserve, National Guard, civilian, family members, and
retired personnel. While each of the Services expects these networks to provide benefits,
CINCs should be leery of lapses in training, security and interoperability and their overall
impact to the information CINCs need.

Traffic  overload  on  networks  is  already  an  issue,  especially  in  deployed  locations,  so  it 
stands to reason that more people using networks will increase the problem. Two facets of
saturation are occurring—the human ability to digest the information and the volume of
information  transiting  the  available  equipment. 

Brigadier  General  Robert  M.  Shea,  USMC,  Director  for  Command,  Control, 
Communications  and  Computers  for  the  Marine  Corps,  cites  information  overload  problems 
as  early  as  the  Gulf  War.  He  states  intelligence  reports  came  from  various  sources  and  up  to 
97  percent  of  the  information  in  those  reports  was  identical,  with  perhaps  3  percent  useful  to 
the Marines. “We got mesmerized by reading the same thing over and over again, and we
missed that three percent.” Now, a decade later and with capacity to generate more
information,  warriors  are  still  susceptible  to  not  being  able  to  digest  all  the  information. 

During a recent interview for Military Information Technology magazine, Lieutenant
General John L. Woodward, Jr., USAF, Deputy Chief of Staff for Communications and
Information at Headquarters U.S. Air Force, mentioned one of the greatest needs for
managing information is software that can analyze information and then portray relevant
information based on the human’s need. Without this assistance, the information may be
available; however, it may not get to the CINCs in a timely manner.

General Shea also commented about the second facet—volume of information
transiting the available equipment. He questioned the secret Internet protocol router
network’s (SIPRNET) ability to handle a sudden surge in traffic if the nonsecure
(unclassified) Internet protocol router network (NIPRNET) is unavailable. He stated, “To me,
the SIPRNET is the single point of failure that needs to be addressed. What’s the backup to
the SIPRNET? What is plan B? I haven’t found the answer to that yet.”

General  Shea  brings  up  some  legitimate  concerns.  Even  if  SIPRNET  can  handle  the 
information,  there  are  other  problems.  Physical  accessibility  is  one  hurdle.  If  NIPRNET 
users  do  not  have  SIPRNET  accounts  or  do  not  have  a  SIPRNET  terminal  in  their  work  area, 
there  will  be  a  delay  until  new  accounts  are  created,  increased  security  problems  by  sharing 
accounts,  or  delays  due  to  insufficient  number  of  terminals.  Conversely,  if  the  SIPRNET  is 
unavailable,  the  biggest  issue  is  how  to  accomplish  the  mission  without  sending  classified 
information  over  the  unclassified  NIPRNET. 

In  the  past  decade,  DOD  made  a  conscious  decision,  for  both  economic  and 
technology  reasons,  to  start  relying  on  commercial  products.  While  sensible  in  some  respects, 
commercial  off-the-shelf  (COTS)  products  should  concern  CINCs  in  other  areas.  Electronic 
equipment  that  was  once  built  specifically  for  military  conditions  is  replaced  by  equipment 
any individual can buy at a local electronics store. This newer equipment, often designed for
a normal business office or home, does not necessarily perform reliably under the rugged
handling and environmental conditions of numerous deployments.

Fixing COTS products at a deployed location can generate concerns for commanders
if  a  civilian  from  the  business  community  needs  to  come  on-site.  Response  time, 
transportation,  security  clearance,  and  personal  protection  all  become  issues.  Is  the  person  a 
combatant  or  non-combatant?  Will  the  commanders  have  to  expend  resources  to  escort  and 
protect  the  civilian?  What  impact  will  that  have  on  sending  timely  information  to  the  CINCs? 

In  an  effort  to  reduce  the  forward  footprint,  some  communication  support  is  depending 
on  reachback  capability  instead  of  in-theater  equipment  and  personnel.  This  is  a  good  idea  in 
terms  of  personnel  safety  and  support  tail,  but  it  can  leave  CINCs  with  less  control  over  the 
information  timeliness  and  accuracy.  Instead  of  on-site  databases  and  system  administrators, 
the  information  and  expertise  may  be  several  satellite  hops  and  thousands  of  miles  away. 

If stateside support is furnished by contractor personnel, a key factor may be the terms
of the contract. Hours of support, response time to fix problems, and who determines priority
order  of  fixes  are  just  a  few  things  which  can  affect  the  CINCs’  information.  While  a  goal  of 
outsourcing  is  efficiency,  the  CINCs  can’t  afford  to  find  out  in  the  middle  of  a  crisis  it  meant 
a  reduction  in  services. 

All  issues  mentioned  in  this  section  can  have  a  negative  impact  on  getting  timely, 
accurate  information  to  CINCs;  however,  all  are  controllable  by  DOD  personnel,  whether  by 
the  lowest  ranking  user  or  the  highest  ranking  decision  maker.  The  common  thread  is 
training,  awareness  of  network  impacts,  and  pre-planning  for  potential  problems. 

INADEQUATE  SECURITY 

The second area of focus is security. Many good steps resulted from the Clinton
administration’s policy, Presidential Decision Directive-63 (PDD-63), to improve protection
of  physical  and  cyber-based  systems  essential  to  the  U.S.  economy  and  government 
operations;  however,  much  work  remains  for  critical  infrastructure  protection.  Issued  in  May 
1998,  PDD-63  tasked  government  agencies  to  participate  in  various  groups  and  appoint 
specific  points  of  contact;  however,  it  based  attempts  to  improve  protection  on  coordination 
and  cooperation,  not  regulation. 

PDD-63’s  annual  progress  report  in  January  2001  shows  over  12  pages  of  DOD 
actions,  illustrating  many  initiatives;  however,  many  actions  improving  procedures  or  network 
enhancements appear individual to one organization and not necessarily applied over all the
organizations. A consolidated approach would reap greater benefits.

Richard Clarke, formerly the National Security Council’s (NSC) Coordinator for
Security, Infrastructure Protection and Counterterrorism, said the NSC did not want a czar for
information technology (IT) nor did it want to create an agency responsible for overseeing
security for all agencies’ information. President Bush issued an Executive Order which
modified the previous PDD-63 approach. He created the “President’s Critical Infrastructure
Protection Board” and named Mr. Clarke as the Board Chair and Special Advisor to the
President for Cyberspace Security. Again, the Board is a “coordinating” committee.
“Coordinating” offices, without “control” will continue to leave the government with a
conglomeration of systems with various levels of security.

Even with increased emphasis on security, the CINCs cannot assume security is
incorporated into the systems they use. Numerous government agencies, including DOD, got
an “F” for IT security planning in 2001 from a congressional subcommittee. The evaluation,
required by the Government Information Security Reform Act (GISRA), may have an effect
on budgets. The Office of Management and Budget, using its control over purse strings, may
use the GISRA data to stop funding projects that do not adequately address security. Until
these criteria are enforced in every system, the CINCs’ information remains vulnerable.

Deeply  entwined  with  many  other  issues,  decisions  are  constantly  made  balancing 
security  with  functionality.  As  Michael  J.  Jacobs,  Director  of  the  Information  Assurance 
Directorate  at  the  National  Security  Agency  (NSA),  states,  functionality  and  security  are  “not 
necessarily complementary” and “managers frequently must sacrifice functionality to achieve
security.”

Rich Pethia, Director of the Computer Emergency Response Team which was
established in 1988 to be the point of contact for the Internet community, believes the
computer industry focuses its engineering for ease of use and not on ease of security
administration. He further states there are not enough technical experts who really know how
to set up and manage secure systems properly. While CINCs want the easiest, fastest
methods to process information, especially during contingencies, a delicate balance between
functionality and security needs to be achieved.

Newer technologies like personal digital assistants and wireless local area networks
(LANs) are attractive not only in daily activities, but also in deployed locations. Both present
some security vulnerabilities which should leave CINCs suspicious of using them in large
quantities until better security is developed and implemented. For example, virus checkers
and intrusion detection systems used on wired LANs do not exist for wireless LANs.

Sometimes enacting security measures has negative side effects. For instance,
Defense Message System (DMS) users need a card (called Fortezza) to send messages. The
cards are created on a specific computer and given to the user. If security policy regarding
that computer is breached, then all the cards created on that computer are invalidated and the
user has to get a new card. Normally locked out of DMS until that new card arrives, the user
would be unable to send any messages. This can cause a significant mission impact
depending on actions needed to fix the situation and on the number of cards that must be
re-created.

CINCs  should  be  aware  of  that  example  as  DOD  is  implementing  another  security 
enhancement  via  the  Common  Access  Card  (CAC).  In  addition  to  replacing  the  current 
armed forces identification card, the CAC has a computer chip on the card which allows the
user to log on to the computer, encrypt e-mail, and digitally sign documents. Circumstances
similar  to  the  Fortezza  card  could  result. 

System administrators are also hampered by the quality of the security products
available to use. DOD and intelligence organizations are “increasingly frustrated over the
tendency to bring commercial security products to market before they are fully evaluated and
all glitches fixed.” Michael Jacobs goes a step further and states, “the commercial sector
cannot provide sufficient security solutions for the NSA’s constituency in government.”

LACK OF INTEROPERABILITY


The final area to examine is interoperability. Lieutenant General Joseph K. Kellogg
Jr., USA, Director, Command, Control, Communications and Computer Systems (J-6), the
Joint Staff, stated the most important goal for J-6 today is interoperability. Problems occur
because, as General Kellogg says, “under the current Title X authority, the services train,
maintain, and equip their forces. They build the systems with service intent in mind, and then
work the joint piece later in the process.” “Add-on” interoperability can result in
modifications to the systems which affect functionality and/or security.

Since changes to computer programs and systems are constantly being made,
interoperability will always be an issue. DOD Directive 4630.5 and DOD Instruction 4630.8
mandate joint and combined certification testing for systems in use by U.S. forces. The
primary facility to conduct the testing is the Defense Information Systems Agency’s Joint
Interoperability Test Command (JITC) at Fort Huachuca, Arizona. JITC is tracking down
systems in use which have not been certified for interoperability. Currently, CINCs cannot
be assured all their systems are working together to provide them accurate information.

The  leadership  push  towards  commercial  off-the-shelf  (COTS)  equipment  is  a  concern 
in  this  area  too.  COTS  products  can  meet  established  standards  and  still  not  be  interoperable. 
Standards  normally  are  not  written  specifically  enough  to  ensure  interoperability.  One 
example  is  two  computer  programs  displaying  graphical  pictures  on  a  screen.  One  user 
marked a target and saved the information in one program. Another user tried to display the
same target using a different program; however, it showed the target as another object. A
problem  like  that  could  lead  to  a  friendly  fire  casualty  or  major  political  issue. 

Another  example  pertains  to  the  inventory  of  chemical  and  biological  warfare 
personnel  protection  equipment.  Currently,  there  are  at  least  nine  systems  used  to  track  the 
inventory  of  protective  equipment  and  they  are  not  interoperable  with  the  Defense  Logistics 
Agency  (DLA)  system.  In  fact,  the  systems  use  different  data  fields  and  some  do  not  contain 
relevant information about lot numbers or expiration dates; therefore, there is no easy method
to determine the availability of equipment. It can take a manual, labor-intensive process to
determine force protection status against chemical and biological warfare.

Magnifying the frustration of this issue are current development efforts. The Air
Force and Marine Corps are developing new inventory systems; however, neither is
interoperable with the other systems used by DOD. Even though the GAO recommended
DLA standardize to one of those systems, DLA is working on another system that won’t be
ready until 2005. At a minimum, resources are being wasted on duplicate efforts and there
is still no guarantee the solution will be interoperable or that each service will use the same
solution.

As General Kellogg says, “It is that services acquire, by law, for themselves, and joint
thoughts only come into play late in the acquisition process. We should begin to build joint
first and not leave it to the last.” CINCs are the optimal people to endorse this “jointness
first” since they are the ones most affected if it doesn’t happen.

Even  more  problems  with  interoperability  occur  when  the  United  States  must  work 
with  coalitions  and  alliances.  Exchanging  timely  information  is  a  big  concern  in  defending 
the  Republic  of  Korea  because  of  equipment  differences,  security  classifications,  frequency 
allocation issues, and terrain. While some manual interfaces and work-arounds have been
developed, they take precious time that may not be available in the event of a sudden attack.

Working  with  North  Atlantic  Treaty  Organization  (NATO)  countries  produces  similar 
interoperability  problems,  but  on  a  larger  scale.  A.T.  Cooper,  executive  coordinator  at  NATO 
Headquarters Consultation, Command and Control Staff, warns that the biggest
interoperability problem is with land forces and it may take six years before nations fully meet
interoperability  standards. 


COUNTER-ARGUMENT 

Opponents  of  this  author’s  thesis  will  quickly  argue  external  (enemy)  issues  are  the 
most likely menace to timely, accurate electronic information getting to the CINCs.
Discounting the presentation of internal issues as scare tactics of many things that “could” or
“may”  happen,  thesis  opponents  can  point  out  external  attacks  “are”  happening  now; 
therefore,  the  CINCs  should  be  more  concerned  about  the  enemy. 

With  a  modest  investment  in  electronic  equipment,  the  enemy  eliminates  time,  space, 
and  force  issues  and  can  be  on  a  more  even  playing  field  with  the  U.S.  in  cyberspace.  An 
enemy  no  longer  needs  large  forces  or  close  proximity  to  the  physical  battlefield  in  order  to 
dramatically  impact  U.S.  forces.  Since  there  are  3  to  3.5  million  computers  on  the  NIPRNET 
and  70  percent  of  that  network’s  traffic  transits  the  Internet,  DOD  is  quite  vulnerable  to 
external  cyber  attacks. 

Dealing with the constant computer attacks on Pentagon networks, the JTF-CNO was
on an “at-war footing” even before September 11th. According to JTF-CNO statistics,
unauthorized “events” (any access attempt by an unauthorized user) against DOD computers are
rapidly increasing. Rising from 5,844 in 1998 to 23,662 in 2000, the expected 2001 figure
was over 40,000—and that estimate was prior to the September terrorism.

One  of  the  successful  attacks  was  a  big  news  story  in  summer  2001.  Within  a  week, 
the  Code  Red  Worm  virus  and  variants  infected  over  200,000  Internet  computers.  While  the 
objective appeared to be to create a log-jam on the Internet and not actually alter information
on specific DOD databases, it caused numerous problems at DOD locations and degraded the
NIPRNET connection with the Internet.

Also,  successful  cyber  attacks  by  politically  motivated  people  are  escalating  regional 
tensions.  One  example  is  the  Pakistan-India  conflict.  In  1999,  pro-Pakistan  groups  had  only 
45 successful attacks on Indian web sites for the whole year. In contrast, there were 275 in
the first 8 months of 2001. One pro-Pakistan group also defaced U.S. web sites belonging to
the Department of Energy and the Air Force. Another example is the Israeli-Palestinian
cyber conflicts which have defaced 200 web sites since October 2000. There were targets in
at least 19 countries aimed at a wide gamut of domains, including terrorist/extremist,
commercial, technology, financial, media, health, and education sites.

Activities  like  these  by  a  group  intent  on  causing  damage,  rather  than  just  being  an 
annoyance, could spell huge problems for CINCs. Not only would they have problems trying
to communicate with DOD personnel, but also with other government departments and
non-government agencies.

Other  potential  enemies  are  also  positioning  themselves  for  cyber  attacks.  One  person 
who  thinks  the  threat  of  cyber  terrorism  is  very  real  is  Yonah  Alexander,  a  senior  fellow  at 
Potomac  Institute  for  Policy  Studies,  an  Arlington,  Virginia  think  tank.  One  of  his  concerns  is 
the  Iraq  Net,  a  series  of  over  100  Web  sites  located  in  domains  throughout  the  world.  He 
feels  Saddam  Hussein  would  not  hesitate  to  use  it  to  overwhelm  the  United  States’  critical 
cyber-based infrastructures.

Based  on  these  examples,  opponents  of  the  author’s  thesis  view  the  external  threats  as 
the  most  likely  menace  to  timely,  accurate  information  gathering  and  management  for  the 
CINCs. 


CONCLUSIONS 

While  a  relatively  small  number  of  potential  enemies  have  the  expertise  and  access  to 
penetrate  and  damage  DOD  systems,  the  sheer  number  of  DOD  users  and  the  number  of 
systems  they  can  access  present  a  greater  potential  for  problems.  The  majority  of  issues 
mentioned  in  this  paper  were  in  the  human  factor  realm,  either  among  the  people  authorized 
access  to  systems  or  those  people  in  positions  to  make  decisions  about  those  systems.  That 
means  many  solutions  are  within  the  CINCs’  sphere  of  control  or  influence. 

Thinking  the  communications/computer  people  will  dig  into  their  technical  toolbox 
and  magically  find  the  answer  is  unrealistic.  While  advanced  technology  can  solve  some  of 
the  issues,  human  decisions  are  the  key  factor.  It’s  going  to  take  the  CINCs’  personal 
involvement  to  bring  about  changes  in  deliberate  personnel  actions/decisions,  inadequate 
security,  and  lack  of  interoperability. 

The  average  person  in  DOD  or  involved  in  providing  DOD  products  has  good 
intentions,  believes  in  technology,  and  has  a  desire  to  get  new  capabilities  to  warfighters. 
However,  whether  through  lack  of  knowledge,  desire  for  ease  of  use,  competitiveness,  lack  of 
“big  picture”  thinking,  or  inattention  to  detail,  people  are  doing  things  which  jeopardize  the 
speed  and  accuracy  of  the  information  they  want  to  get  to  the  CINCs. 

While  there  are  legitimate  concerns  about  enemy  attacks,  the  CINCs  have  more  ability 
to  improve  the  internal  problems.  Services  can  assist  by  thinking  “joint”  from  the  conception 
of  a  system.  If  the  CINCs  and  Services  concentrate  their  efforts  on  resolving  the  internal 
problems,  then  DOD  can  focus  more  resources  on  external  issues. 

Added  protection  against  external  attacks,  however,  will  not  solve  the  existing  internal 
problems.  The  internal  issues  will  still  be  the  most  likely  nemesis  to  getting  timely,  accurate 
information  to  the  CINCs  if  the  CINCs  do  not  personally  endorse  changes. 

RECOMMENDATIONS 

CINCs  need  to  be  the  strongest  advocates  for  correcting  internal  problems  to  ensure 
timely,  accurate  information.  While  the  J6s  will  do  most  of  the  leg-work,  everyone  using  or 
furnishing  communications  equipment  or  services  must  know  the  CINCs  definitely  endorse 
the  efforts.  Provided  below  is  a  checklist  of  items  for  CINCs  to  implement  within  their  sphere 
of  control  or  sphere  of  influence.  While  not  exhaustive,  the  list  includes  key  items  relevant  to 
curbing  the  internal  problems. 

Items  Within  the  CINC’s  Sphere  of  Control 

-  Clearly  state  (via  policy  letters,  staff  meetings,  etc.)  the  expected  actions  regarding 
passwords,  new  software,  disk  usage,  etc. 

-  Ensure  appropriate  discipline/ramifications  (counseling,  reprimands,  revoke  access, 
re-training,  etc.)  accompany  non-compliance. 

-  Emphasize  that  the  J6  role  in  providing  essential  support  to  the  warfighter  requires  proper 
coordination  on  all  communications  issues. 

-  Ensure  appropriate  training  is  conducted  and  support  time  for  training. 

-  Ensure  operation  of  communications  equipment/systems  meets  mission  needs 
regarding  hours  of  support,  backup  of  files,  etc.  while  maintenance  occurs  without  a 
negative  impact  to  daily  operations. 

-  Ensure  adherence  to  JTF-CNO  guidance  concerning  reporting  problems  and 
implementing  fixes  to  known  security  problems. 

-  Ensure  a  viable  Continuity  of  Operations  Plan  (COOP)  is  maintained  and 
periodically  tested. 

-  Work  with  DISA  to  determine  which  systems  have  not  passed  interoperability  testing 
and  schedule  them  for  certification. 


Items  Within  the  CINC’s  Sphere  of  Influence 

-  Use  the  Integrated  Priority  List  to  highlight  communications  security  issues. 

-  Ensure  an  appropriate  support  tail  (training,  spare  parts,  etc.)  exists  for  all  systems. 

-  Request  notification  of  changes  in  services  (hours  of  support,  levels  of  service, 
scheduled  maintenance  outages,  etc.)  at  supporting  sites. 

-  Encourage  maintenance  of  a  viable  COOP  at  supporting  sites  and  assist  in 
establishing  appropriate  testing  times. 

-  Ensure  new  systems/major  modifications  undergo  DISA’s  interoperability  testing  as 
mandated  by  DOD  Directive  4630.5  and  DOD  Instruction  4630.8. 

-  Support  a  joint  approval  process  before  a  system  is  developed/purchased. 


If  the  CINCs  implement  these  recommendations,  they  will  be  well  on  their  way  to 
ensuring  they  have  the  right  information  at  the  right  time  to  plan  and  fight  any  war. 